When a compromise of security or a unauthorized/illegal action associated with a computer is suspected, it is important that steps are taken to ensure the protection of the data within the computer and/or storage media.

The initial response to a computer security incident may be more important than later technical analysis of the computer system because of the actions taken by incident response team members. Actions taken by the incident response team impact subsequent laboratory examinations of the computer and/or media. Of most importance is that the first responder act appropriately.

In the event of a suspected computer incident, care must be taken to preserve evidence in its original state. While it may seem that simply viewing files on a system would not result in alteration of the original media, opening a file changes it. From a legal sense, it is no longer the original evidence and may be inadmissible in any subsequent legal or administrative proceedings.

The activities/procedures for securing a suspected computer incident scene include

Securing the scene

Shutting down the computer

Labeling the evidence

Documenting the evidence

Transporting the evidence

Providing chain-of-custody documentation

Securing the scene

The entire work area, office, or cubicle is a potential crime scene, not just the computer itself. The work area should be secured and protected to maintain the integrity of the scene and the storage media. While waiting for the official incident responder, no one should be allowed to touch the computer, to include shutting the computer down or exiting from any programs/files in use at the time or remove anything from the scene. All individuals at a scene should be known and briefly interviewed to determine their access to the computer and work area before asking them to leave.

Under no circumstances should anyone, with the exception of qualified computer forensics personnel, make any attempts to restore or recover information from a computer system. It is important to remember that the data present within the storage media is potential evidence and should be treated accordingly. Any attempts to retrieve data by unqualified individuals should be avoided as these attempts could either compromise the integrity of the files or result in the files being inadmissible in legal or administrative proceedings.

Procedure for previewing and taking BitStream Backup

Photograph the Scene

If the computer is ON then photograph the screen and note down the names of programs being run.

Do not switch off the computer. Simply pull the power cord from behind the back of the computer.

Open the computer and inspect the inside for unusual connections or configuration.

Disconnect the Power cables to all the storage hard drives

Switch on the suspect computer and run the CMOS Setup routine to ensure that the computer is set to boot
from floppy drive. For entering into the CMOS Setup, most of the systems will flash the correct key on the
screen as the system boots. If not, the following setup keys are common:

Compaq Computers F10

IBM Computers F1

Some PC Clones Del

OR F2

OR Ctrl-Alt-Esc

OR Ctrl-Alt-Enter

Make sure that the computer is set the Boot Sequence from floppy drive. Exit the BIOS Setup, by saving the changes.
Switch off the system.

Insert the BitStream Software Booting floppy into the floppy drive. Switch on the computer. Make sure system is booting with floppy.

Power off the computer and reconnect the disk drive power cables.

For Previewing

Remove the parallel port cable from the computer and connect the cable from the kit brought by the team.

Connect the other end of the cable to the PC or Notebook PC brought by the team which contains the
analysis software.

Run the BitStream Software from the floppy, and make sure all the storage devices are shown and all are
locked by default.

Run the server mode

Switch ON the Analysis Computer (PC bought by the team) and it as client.

Use the Analysis Software to see the content of the suspect disk.

For BitStream Copy

Connect the destination disk (bought by the team) to the free IDE port / connector and connect power cable to the destination HDD.

Turn ON the computer and allow the computer to boot from the floppy drive.

Run the BitStream Software from the floppy, and make sure all the storage devices are shown and all are locked by default.

Take the media hash of the suspect computer hard disk and note it down. This may take hours.

Unlock the destination disk

After taking the media hash value start the BitStream copying. This process will take long time to complete. Please ensure that the power will not be disturbed during this operation.

After copying is over, switch off the computer. Remove the destination disk connected to it.

Disconnect the suspect hard disk from the computer. Note down its make, model no, serial number and any noticeable things on the hard disk

Pack the suspect hard disk in a Packing Box, seal it using tapes and get it signed by the witnesses.

Documentation

Detailed notes should be maintained during all aspects of the scene processing. This not only includes the usual who, what, where, when but overall observations of the scene. A evidence/property document should contain entries with a description of the items (model and serial number), any visible markings present on the item, the condition of the item, the manner it was marked for evidence and the location from within the scene it was seized. Every item of evidence has its own characteristics, but should be identified in a manner it can be easily identified at a later date. Items should be collected as found and documented.

Handling and Transportation

Diskettes have fragile magnetic media. If they are packed loosely and allowed to strike each other repeatedly during transit, the media could be damaged and the data lost.

Hard disks should not be subjected to shocks. When transporting a CPU, devices, or media, they should not be placed in a vehicle trunk or area where there will be drastic changes in temperature.